nautobot 1.6.31__py3-none-any.whl → 1.6.32__py3-none-any.whl

nautobot/circuits/forms.py

@@ -173,6 +173,12 @@ class CircuitTypeForm(NautobotModelForm):
         ]
 
 
+class CircuitTypeFilterForm(NautobotFilterForm):
+    model = CircuitType
+    q = forms.CharField(required=False, label="Search")
+    name = forms.CharField(required=False)
+
+
 class CircuitTypeCSVForm(CustomFieldModelCSVForm):
     class Meta:
         model = CircuitType

nautobot/circuits/views.py

@@ -30,6 +30,7 @@ class CircuitTypeUIViewSet(
 ):
     bulk_create_form_class = forms.CircuitTypeCSVForm
     filterset_class = filters.CircuitTypeFilterSet
+    filterset_form_class = forms.CircuitTypeFilterForm
     form_class = forms.CircuitTypeForm
     queryset = CircuitType.objects.annotate(circuit_count=count_related(Circuit, "type"))
     serializer_class = serializers.CircuitTypeSerializer

nautobot/core/graphql/schema.py

@@ -23,7 +23,7 @@ from nautobot.core.graphql.generators import (
     generate_schema_type,
     generate_null_choices_resolver,
 )
-from nautobot.core.graphql.types import ContentTypeType, DateType
+from nautobot.core.graphql.types import ContentTypeType, DateType, JSON
 from nautobot.dcim.graphql.types import (
     CableType,
     CablePathType,
@@ -84,6 +84,8 @@ CUSTOM_FIELD_MAPPING = {
     CustomFieldTypeChoices.TYPE_DATE: DateType(),
     CustomFieldTypeChoices.TYPE_URL: graphene.String(),
     CustomFieldTypeChoices.TYPE_SELECT: graphene.String(),
+    CustomFieldTypeChoices.TYPE_JSON: JSON(),
+    CustomFieldTypeChoices.TYPE_MULTISELECT: graphene.List(graphene.String),
 }
 
 

nautobot/core/graphql/types.py

@@ -56,3 +56,13 @@ class DateType(graphene.Date):
             return date
         else:
             raise GraphQLError(f'Received not compatible date "{date!r}"')
+
+
+class JSON(graphene.Scalar):
+    @staticmethod
+    def serialize_data(dt):
+        return dt
+
+    serialize = serialize_data
+    parse_value = serialize_data
+    parse_literal = serialize_data

nautobot/core/models/__init__.py

@@ -78,3 +78,5 @@ class BaseModel(models.Model):
         """
         self.full_clean()
         self.save(*args, **kwargs)
+
+    validated_save.alters_data = True

nautobot/core/templates/generic/object_list.html

@@ -217,7 +217,7 @@
         let search_query = new URLSearchParams()
         let dynamic_query = new URLSearchParams(new FormData(document.getElementById("dynamic-filter-form")));
         dynamic_query.forEach((value, key) => { if (value != "") { search_query.append(key, value); }});
-        let default_query = new URLSearchParams(new FormData(document.getElementById("default-filter").firstElementChild));
+        let default_query = new URLSearchParams(new FormData(document.getElementById("default-filter")?.firstElementChild));
         default_query.forEach((value, key) => {
             if (value != "" && !search_query.has(key, value)) { search_query.append(key, value); }
         });

nautobot/core/tests/test_views.py

@@ -1,4 +1,6 @@
+import os
 import re
+import tempfile
 from unittest import mock
 import urllib.parse
 
@@ -133,6 +135,77 @@ class HomeViewTestCase(TestCase):
         self.assertNotIn("Welcome to Nautobot!", response.content.decode(response.charset))
 
 
+class MediaViewTestCase(TestCase):
+    def test_media_unauthenticated(self):
+        """
+        Test that unauthenticated users are redirected to login when accessing media files whether they exist or not.
+        """
+        with tempfile.TemporaryDirectory() as temp_dir:
+            with override_settings(
+                MEDIA_ROOT=temp_dir,
+                BRANDING_FILEPATHS={"logo": os.path.join("branding", "logo.txt")},
+            ):
+                file_path = os.path.join(temp_dir, "foo.txt")
+                url = reverse("media", kwargs={"path": "foo.txt"})
+                self.client.logout()
+
+                # Unauthenticated request to nonexistent media file should redirect to login page
+                response = self.client.get(url)
+                self.assertRedirects(
+                    response, expected_url=f"{reverse('login')}?next={url}", status_code=302, target_status_code=200
+                )
+
+                # Unauthenticated request to existent media file should redirect to login page as well
+                with open(file_path, "w") as f:
+                    f.write("Hello, world!")
+                response = self.client.get(url)
+                self.assertRedirects(
+                    response, expected_url=f"{reverse('login')}?next={url}", status_code=302, target_status_code=200
+                )
+
+    def test_branding_media(self):
+        """
+        Test that users can access branding files listed in `settings.BRANDING_FILEPATHS` regardless of authentication.
+        """
+        with tempfile.TemporaryDirectory() as temp_dir:
+            with override_settings(
+                MEDIA_ROOT=temp_dir,
+                BRANDING_FILEPATHS={"logo": os.path.join("branding", "logo.txt")},
+            ):
+                os.makedirs(os.path.join(temp_dir, "branding"))
+                file_path = os.path.join(temp_dir, "branding", "logo.txt")
+                with open(file_path, "w") as f:
+                    f.write("Hello, world!")
+
+                url = reverse("media", kwargs={"path": "branding/logo.txt"})
+
+                # Authenticated request succeeds
+                response = self.client.get(url)
+                self.assertHttpStatus(response, 200)
+                self.assertIn("Hello, world!", b"".join(response).decode(response.charset))
+
+                # Unauthenticated request also succeeds
+                self.client.logout()
+                response = self.client.get(url)
+                self.assertHttpStatus(response, 200)
+                self.assertIn("Hello, world!", b"".join(response).decode(response.charset))
+
+    def test_media_authenticated(self):
+        """
+        Test that authenticated users can access regular media files stored in the `MEDIA_ROOT`.
+        """
+        with tempfile.TemporaryDirectory() as temp_dir:
+            with override_settings(MEDIA_ROOT=temp_dir):
+                file_path = os.path.join(temp_dir, "foo.txt")
+                with open(file_path, "w") as f:
+                    f.write("Hello, world!")
+
+                url = reverse("media", kwargs={"path": "foo.txt"})
+                response = self.client.get(url)
+                self.assertHttpStatus(response, 200)
+                self.assertIn("Hello, world!", b"".join(response).decode(response.charset))
+
+
 @override_settings(BRANDING_TITLE="Nautobot")
 class SearchFieldsTestCase(TestCase):
     def test_search_bar_redirect_to_login(self):

nautobot/core/urls.py

@@ -1,11 +1,11 @@
 from django.conf import settings
 from django.conf.urls import include, url
 from django.urls import path
-from django.views.static import serve
 
 from nautobot.core.views import (
     CustomGraphQLView,
     HomeView,
+    MediaView,
     StaticMediaFailureView,
     SearchView,
     nautobot_metrics_view,
@@ -38,8 +38,8 @@ urlpatterns = [
     path("api/", include("nautobot.core.api.urls")),
     # GraphQL
     path("graphql/", CustomGraphQLView.as_view(graphiql=True), name="graphql"),
-    # Serving static media in Django
-    path("media/<path:path>", serve, {"document_root": settings.MEDIA_ROOT}),
+    # Serving static media in Django (TODO: should be DEBUG mode only - "This view is NOT hardened for production use")
+    path("media/<path:path>", MediaView.as_view(), name="media"),
     # Admin
     path("admin/", admin_site.urls),
     path("admin/background-tasks/", include("django_rq.urls")),

nautobot/core/views/__init__.py

@@ -1,5 +1,6 @@
 import os
 import platform
+import posixpath
 import sys
 import time
 
@@ -17,6 +18,7 @@ from django.views.decorators.csrf import requires_csrf_token
 from django.views.defaults import ERROR_500_TEMPLATE_NAME, page_not_found
 from django.views.csrf import csrf_failure as _csrf_failure
 from django.views.generic import TemplateView, View
+from django.views.static import serve
 from packaging import version
 from graphene_django.views import GraphQLView
 from prometheus_client import multiprocess
@@ -110,6 +112,25 @@ class HomeView(AccessMixin, TemplateView):
         return self.render_to_response(context)
 
 
+class MediaView(AccessMixin, View):
+    """
+    Serves media files while enforcing login restrictions.
+
+    This view wraps Django's `serve()` function to ensure that access to media files (with the exception of
+    branding files defined in `settings.BRANDING_FILEPATHS`) is restricted to authenticated users.
+    """
+
+    def get(self, request, path):
+        if request.user.is_authenticated:
+            return serve(request, path, document_root=settings.MEDIA_ROOT)
+
+        # Unauthenticated users can access BRANDING_FILEPATHS only
+        if posixpath.normpath(path).lstrip("/") in settings.BRANDING_FILEPATHS.values():
+            return serve(request, path, document_root=settings.MEDIA_ROOT)
+
+        return self.handle_no_permission()
+
+
 class SearchView(AccessMixin, View):
     def get(self, request):
         # if user is not authenticated, redirect to login page

nautobot/dcim/forms.py

@@ -62,6 +62,7 @@ from nautobot.utilities.forms import (
     StaticSelect2,
     StaticSelect2Multiple,
     TagFilterField,
+    BOOLEAN_CHOICES,
 )
 from nautobot.utilities.forms.constants import BOOLEAN_WITH_BLANK_CHOICES
 from nautobot.virtualization.models import Cluster, ClusterGroup
@@ -631,6 +632,12 @@ class RackRoleForm(NautobotModelForm):
         ]
 
 
+class RackRoleFilterForm(NautobotFilterForm):
+    model = RackRole
+    q = forms.CharField(required=False, label="Search")
+    color = forms.CharField(max_length=6, required=False, widget=ColorSelect())  # RGB color code
+
+
 class RackRoleCSVForm(CustomFieldModelCSVForm):
     class Meta:
         model = RackRole
@@ -1014,6 +1021,15 @@ class ManufacturerForm(NautobotModelForm):
         ]
 
 
+class ManufacturerFilterForm(NautobotFilterForm):
+    model = Manufacturer
+    q = forms.CharField(required=False, label="Search")
+    device_types = DynamicModelMultipleChoiceField(
+        queryset=DeviceType.objects.all(), to_field_name="model", required=False
+    )
+    platforms = DynamicModelMultipleChoiceField(queryset=Platform.objects.all(), to_field_name="name", required=False)
+
+
 class ManufacturerCSVForm(CustomFieldModelCSVForm):
     class Meta:
         model = Manufacturer
@@ -1763,6 +1779,12 @@ class DeviceRoleForm(NautobotModelForm):
         ]
 
 
+class DeviceRoleFilterForm(NautobotFilterForm):
+    model = DeviceRole
+    q = forms.CharField(required=False, label="Search")
+    vm_role = forms.ChoiceField(choices=BOOLEAN_CHOICES, required=False, label="VM Role")
+
+
 class DeviceRoleCSVForm(CustomFieldModelCSVForm):
     class Meta:
         model = DeviceRole
@@ -1797,6 +1819,13 @@ class PlatformForm(NautobotModelForm):
         }
 
 
+class PlatformFilterForm(NautobotFilterForm):
+    model = Platform
+    q = forms.CharField(required=False, label="Search")
+    name = forms.CharField(required=False)
+    network_driver = forms.CharField(required=False)
+
+
 class PlatformCSVForm(CustomFieldModelCSVForm):
     manufacturer = CSVModelChoiceField(
         queryset=Manufacturer.objects.all(),

nautobot/dcim/models/device_component_templates.py

@@ -64,6 +64,8 @@ class ComponentTemplateModel(BaseModel, ChangeLoggedModel, CustomFieldModel, Rel
         """
         raise NotImplementedError()
 
+    instantiate.alters_data = True
+
     def to_objectchange(self, action, **kwargs):
         """
         Return a new ObjectChange with the `related_object` pinned to the `device_type` by default.
@@ -96,6 +98,8 @@ class ComponentTemplateModel(BaseModel, ChangeLoggedModel, CustomFieldModel, Rel
             **kwargs,
         )
 
+    instantiate_model.alters_data = True
+
 
 @extras_features(
     "custom_fields",

nautobot/dcim/models/device_components.py

@@ -879,6 +879,8 @@ class InterfaceRedundancyGroup(StatusModel, PrimaryModel):  # pylint: disable=to
         )
         return instance.validated_save()
 
+    add_interface.alters_data = True
+
     def remove_interface(self, interface):
         """
         Remove an interface.
@@ -892,6 +894,8 @@ class InterfaceRedundancyGroup(StatusModel, PrimaryModel):  # pylint: disable=to
         )
         return instance.delete()
 
+    remove_interface.alters_data = True
+
 
 @extras_features(
     "relationships",

nautobot/dcim/models/devices.py

@@ -873,6 +873,8 @@ class Device(PrimaryModel, ConfigContextModel, StatusModel):
             model.objects.bulk_create([x.instantiate(self) for x in templates])
         return instantiated_components
 
+    create_components.alters_data = True
+
     def to_csv(self):
         return (
             self.name or "",

nautobot/dcim/views.py

@@ -511,6 +511,7 @@ class RackGroupBulkDeleteView(generic.BulkDeleteView):
 class RackRoleListView(generic.ObjectListView):
     queryset = RackRole.objects.annotate(rack_count=count_related(Rack, "role"))
     filterset = filters.RackRoleFilterSet
+    filterset_form = forms.RackRoleFilterForm
     table = tables.RackRoleTable
 
 
@@ -764,6 +765,7 @@ class ManufacturerListView(generic.ObjectListView):
         platform_count=count_related(Platform, "manufacturer"),
     )
     filterset = filters.ManufacturerFilterSet
+    filterset_form = forms.ManufacturerFilterForm
     table = tables.ManufacturerTable
 
 
@@ -1241,6 +1243,7 @@ class DeviceRoleListView(generic.ObjectListView):
         vm_count=count_related(VirtualMachine, "role"),
     )
     filterset = filters.DeviceRoleFilterSet
+    filterset_form = forms.DeviceRoleFilterForm
     table = tables.DeviceRoleTable
 
 
@@ -1300,6 +1303,7 @@ class PlatformListView(generic.ObjectListView):
         vm_count=count_related(VirtualMachine, "platform"),
     )
     filterset = filters.PlatformFilterSet
+    filterset_form = forms.PlatformFilterForm
     table = tables.PlatformTable
 
 

nautobot/extras/forms/forms.py

@@ -103,6 +103,7 @@ __all__ = (
     "CustomFieldModelCSVForm",
     "CustomFieldBulkCreateForm",  # 2.0 TODO remove this deprecated class
     "CustomFieldChoiceFormSet",
+    "CustomFieldViewFilterForm",
     "CustomLinkForm",
     "CustomLinkFilterForm",
     "DynamicGroupForm",
@@ -400,6 +401,17 @@ class CustomFieldForm(BootstrapMixin, forms.ModelForm):
         )
 
 
+class CustomFieldViewFilterForm(BootstrapMixin, forms.Form):
+    model = CustomField
+    q = forms.CharField(required=False, label="Search")
+    content_types = MultipleContentTypeField(
+        queryset=ContentType.objects.filter(FeatureQuery("custom_fields").get_query()),
+        choices_as_strings=True,
+        required=False,
+        label="Content Type(s)",
+    )
+
+
 class CustomFieldModelCSVForm(CSVModelForm, CustomFieldModelFormMixin):
     """Base class for CSV export of models that support custom fields."""
 

nautobot/extras/models/customfields.py

@@ -241,6 +241,8 @@ class CustomFieldModel(models.Model):
                 elif cf.required:
                     raise ValidationError(f"Missing required custom field '{cf.name}'.")
 
+    clean.alters_data = True
+
     # Computed Field Methods
     def has_computed_fields(self, advanced_ui=None):
         """

nautobot/extras/models/datasources.py

@@ -130,6 +130,8 @@ class GitRepository(PrimaryModel):
         """
         self._dryrun = True
 
+    set_dryrun.alters_data = True
+
     def save(self, *args, trigger_resync=True, **kwargs):
         if self.__initial_token and self._token == self.TOKEN_PLACEHOLDER:
             # User edited the repo but did NOT specify a new token value. Make sure we keep the existing value.

nautobot/extras/models/groups.py

@@ -357,6 +357,8 @@ class DynamicGroup(OrganizationalModel):
 
         return self.members_cached
 
+    update_cached_members.alters_data = True
+
     def has_member(self, obj, use_cache=False):
         """
         Return True if the given object is a member of this group.
@@ -460,6 +462,8 @@ class DynamicGroup(OrganizationalModel):
 
         self.filter = new_filter
 
+    set_filter.alters_data = True
+
     def get_initial(self):
         """
         Return an form-friendly version of `self.filter` for initial form data.
@@ -693,6 +697,8 @@ class DynamicGroup(OrganizationalModel):
         instance = self.children.through(parent_group=self, group=child, operator=operator, weight=weight)
         return instance.validated_save()
 
+    add_child.alters_data = True
+
     def remove_child(self, child):
         """
         Remove a child group.
@@ -703,6 +709,8 @@ class DynamicGroup(OrganizationalModel):
         instance = self.children.through.objects.get(parent_group=self, group=child)
         return instance.delete()
 
+    remove_child.alters_data = True
+
     def get_descendants(self, group=None):
         """
         Recursively return a list of the children of all child groups.

nautobot/extras/models/jobs.py

@@ -738,6 +738,8 @@ class JobResult(BaseModel, CustomFieldModel):
                     duration.total_seconds()
                 )
 
+    set_status.alters_data = True
+
     @classmethod
     def enqueue_job(cls, func, name, obj_type, user, *args, celery_kwargs=None, schedule=None, **kwargs):
         """
@@ -805,6 +807,8 @@ class JobResult(BaseModel, CustomFieldModel):
 
         return job_result
 
+    enqueue_job.__func__.alters_data = True
+
     def log(
         self,
         message,
@@ -868,6 +872,8 @@ class JobResult(BaseModel, CustomFieldModel):
 
         return log
 
+    log.alters_data = True
+
 
 #
 # Job Button
@@ -945,6 +951,8 @@ class ScheduledJobs(models.Model):
         if not instance.no_changes:
             cls.update_changed()
 
+    changed.__func__.alters_data = True
+
     @classmethod
     def update_changed(cls, raw=False, **kwargs):
         """This function acts as a signal handler to track changes to the scheduled job that is triggered after a change"""
@@ -952,6 +960,8 @@ class ScheduledJobs(models.Model):
             return
         cls.objects.update_or_create(ident=1, defaults={"last_update": timezone.now()})
 
+    update_changed.__func__.alters_data = True
+
     @classmethod
     def last_change(cls):
         """This function acts as a getter for the last update on scheduled jobs"""

nautobot/extras/models/models.py

@@ -466,6 +466,8 @@ class ExportTemplate(BaseModel, ChangeLoggedModel, RelationshipModel, NotesMixin
         ):
             raise ValidationError({"name": "An ExportTemplate with this name and content type already exists."})
 
+    clean.alters_data = True
+
 
 #
 # File attachments

nautobot/extras/models/secrets.py

@@ -4,8 +4,8 @@ from django.core.exceptions import ValidationError
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.urls import reverse
-
-from jinja2.exceptions import UndefinedError, TemplateSyntaxError
+from jinja2.exceptions import TemplateSyntaxError, UndefinedError
+from jinja2.sandbox import unsafe
 
 from nautobot.core.fields import AutoSlugField
 from nautobot.core.models import BaseModel
@@ -78,6 +78,7 @@ class Secret(PrimaryModel):
         except (TemplateSyntaxError, UndefinedError) as exc:
             raise SecretParametersError(self, registry["secrets_providers"].get(self.provider), str(exc)) from exc
 
+    @unsafe
     def get_value(self, obj=None):
         """Retrieve the secret value that this Secret is a representation of.
 
@@ -97,6 +98,8 @@ class Secret(PrimaryModel):
         except Exception as exc:
             raise SecretError(self, provider, str(exc)) from exc
 
+    get_value.do_not_call_in_templates = True
+
     def clean(self):
         provider = registry["secrets_providers"].get(self.provider)
         if not provider:
@@ -137,6 +140,7 @@ class SecretsGroup(OrganizationalModel):
     def to_csv(self):
         return (self.name, self.slug, self.description)
 
+    @unsafe
     def get_secret_value(self, access_type, secret_type, obj=None, **kwargs):
         """Helper method to retrieve a specific secret from this group.
 
@@ -145,6 +149,8 @@ class SecretsGroup(OrganizationalModel):
         secret = self.secrets.through.objects.get(group=self, access_type=access_type, secret_type=secret_type).secret
         return secret.get_value(obj=obj, **kwargs)
 
+    get_secret_value.do_not_call_in_templates = True
+
 
 @extras_features(
     "graphql",

nautobot/extras/secrets/__init__.py

@@ -1,5 +1,7 @@
 from abc import ABC, abstractmethod
 
+from jinja2.sandbox import unsafe
+
 from nautobot.extras.registry import registry
 
 from .exceptions import SecretError, SecretParametersError, SecretProviderError, SecretValueNotFoundError
@@ -31,6 +33,7 @@ class SecretsProvider(ABC):
 
     @classmethod
     @abstractmethod
+    @unsafe
     def get_value_for_secret(cls, secret, obj=None, **kwargs):
         """Retrieve the stored value described by the given Secret record.
 
@@ -41,6 +44,17 @@ class SecretsProvider(ABC):
             obj (object): Django model instance or similar providing additional context for retrieving the secret.
         """
 
+    get_value_for_secret.__func__.do_not_call_in_templates = True
+
+    def __init_subclass__(cls, **kwargs):
+        # Automatically apply protection against Django and Jinja2 template execution to child classes.
+        if not getattr(cls.get_value_for_secret, "do_not_call_in_templates", False):  # Django
+            cls.get_value_for_secret.__func__.do_not_call_in_templates = True
+        if not getattr(cls.get_value_for_secret, "unsafe_callable", False):  # Jinja @unsafe decorator
+            cls.get_value_for_secret.__func__.unsafe_callable = True
+
+        super().__init_subclass__(**kwargs)
+
 
 def register_secrets_provider(provider):
     """

nautobot/extras/tests/test_models.py

@@ -86,6 +86,13 @@ class ComputedFieldTest(TestCase):
             fallback_value="An error occurred while rendering this template.",
             weight=50,
         )
+        self.evil_computed_field = ComputedField.objects.create(
+            content_type=ContentType.objects.get_for_model(Secret),
+            slug="evil_computed_field",
+            label="Evil Computed Field",
+            template="{{ obj.get_value() }}",
+            weight=666,
+        )
         self.blank_fallback_value = ComputedField.objects.create(
             content_type=ContentType.objects.get_for_model(Site),
             slug="blank_fallback_value",
@@ -94,6 +101,18 @@ class ComputedFieldTest(TestCase):
             weight=50,
         )
         self.site1 = Site.objects.first()
+        self.secret = Secret.objects.create(
+            name="Environment Variable Secret",
+            provider="environment-variable",
+            parameters={"variable": "NAUTOBOT_ROOT"},
+        )
+        self.secrets_group = SecretsGroup.objects.create(name="Group of Secrets")
+        SecretsGroupAssociation.objects.create(
+            group=self.secrets_group,
+            secret=self.secret,
+            access_type=SecretsGroupAccessTypeChoices.TYPE_GENERIC,
+            secret_type=SecretsGroupSecretTypeChoices.TYPE_SECRET,
+        )
 
     def test_render_method(self):
         rendered_value = self.good_computed_field.render(context={"obj": self.site1})
@@ -107,6 +126,13 @@ class ComputedFieldTest(TestCase):
         rendered_value = self.bad_computed_field.render(context={"obj": self.site1})
         self.assertEqual(rendered_value, self.bad_computed_field.fallback_value)
 
+    def test_render_method_evil_template(self):
+        rendered_value = self.evil_computed_field.render(context={"obj": self.secret})
+        self.assertEqual(rendered_value, "")
+        self.evil_computed_field.template = "{{ obj.secrets_groups.first().get_secret_value('Generic', 'secret') }}"
+        rendered_value = self.evil_computed_field.render(context={"obj": self.secret})
+        self.assertEqual(rendered_value, "")
+
 
 class ConfigContextTest(TestCase):
     """

nautobot/extras/views.py

@@ -356,6 +356,7 @@ class CustomFieldListView(generic.ObjectListView):
     queryset = CustomField.objects.all()
     table = tables.CustomFieldTable
     filterset = filters.CustomFieldFilterSet
+    filterset_form = forms.CustomFieldViewFilterForm
     action_buttons = ("add",)
 
 

nautobot/ipam/filters.py

@@ -181,7 +181,7 @@ class AggregateFilterSet(NautobotFilterSet, IPAMFilterSetMixin, TenancyModelFilt
 class RoleFilterSet(NautobotFilterSet, NameSlugSearchFilterSet):
     class Meta:
         model = Role
-        fields = ["id", "name", "slug"]
+        fields = ["id", "name", "slug", "weight"]
 
 
 class PrefixFilterSet(

nautobot/ipam/forms.py

@@ -334,6 +334,12 @@ class RoleForm(NautobotModelForm):
         ]
 
 
+class RoleFilterForm(NautobotFilterForm):
+    model = Role
+    q = forms.CharField(required=False, label="Search")
+    weight = forms.IntegerField(required=False, label="Weight")
+
+
 class RoleCSVForm(CustomFieldModelCSVForm):
     class Meta:
         model = Role